#region Copyright notice and license

// Copyright 2019 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#endregion

namespace Grpc.Core;

/// <summary>
/// Callback invoked with the expected targetHost and the peer's certificate.
/// If false is returned by this callback then it is treated as a
/// verification failure and the attempted connection will fail.
/// Invocation of the callback is blocking, so any
/// implementation should be light-weight.
/// Note that the callback can potentially be invoked multiple times,
/// concurrently from different threads (e.g. when multiple connections
/// are being created for the same credentials).
/// </summary>
/// <param name="context">The <see cref="T:Grpc.Core.VerifyPeerContext"/> associated with the callback</param>
/// <returns>true if verification succeeded, false otherwise.</returns>
/// Note: experimental API that can change or be removed without any prior notice.
public delegate bool VerifyPeerCallback(VerifyPeerContext context);

/// <summary>
/// Client-side SSL credentials.
/// </summary>
public sealed class SslCredentials : ChannelCredentials
{
    readonly string? rootCertificates;
    readonly KeyCertificatePair? keyCertificatePair;
    readonly VerifyPeerCallback? verifyPeerCallback;

    /// <summary>
    /// Creates client-side SSL credentials loaded from
    /// disk file pointed to by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable.
    /// If that fails, gets the roots certificates from a well known place on disk.
    /// </summary>
    public SslCredentials() : this(null, null, null)
    {
    }

    /// <summary>
    /// Creates client-side SSL credentials from
    /// a string containing PEM encoded root certificates.
    /// </summary>
    public SslCredentials(string rootCertificates) : this(rootCertificates, null, null)
    {
    }

    /// <summary>
    /// Creates client-side SSL credentials.
    /// </summary>
    /// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
    /// <param name="keyCertificatePair">a key certificate pair.</param>
    public SslCredentials(string rootCertificates, KeyCertificatePair keyCertificatePair) :
        this(rootCertificates, keyCertificatePair, null)
    {
    }

    /// <summary>
    /// Creates client-side SSL credentials.
    /// </summary>
    /// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
    /// <param name="keyCertificatePair">a key certificate pair.</param>
    /// <param name="verifyPeerCallback">a callback to verify peer's target name and certificate.</param>
    /// Note: experimental API that can change or be removed without any prior notice.
    public SslCredentials(string? rootCertificates, KeyCertificatePair? keyCertificatePair, VerifyPeerCallback? verifyPeerCallback)
    {
        this.rootCertificates = rootCertificates;
        this.keyCertificatePair = keyCertificatePair;
        this.verifyPeerCallback = verifyPeerCallback;
    }

    /// <summary>
    /// PEM encoding of the server root certificates.
    /// </summary>
    public string? RootCertificates
    {
        get
        {
            return this.rootCertificates;
        }
    }

    /// <summary>
    /// Client side key and certificate pair.
    /// If null, client will not use key and certificate pair.
    /// </summary>
    public KeyCertificatePair? KeyCertificatePair
    {
        get
        {
            return this.keyCertificatePair;
        }
    }

    /// <summary>
    /// Populates channel credentials configurator with this instance's configuration.
    /// End users never need to invoke this method as it is part of internal implementation.
    /// </summary>
    public override void InternalPopulateConfiguration(ChannelCredentialsConfiguratorBase configurator, object state)
    {
        configurator.SetSslCredentials(state, rootCertificates, keyCertificatePair, verifyPeerCallback);
    }

    internal override bool IsComposable => true;
}
